Add and edit roles with authorize.conf

You can add or modify roles by editing authorize.conf. Users are assigned to roles that determine their level of access and the tasks that they can perform. For more information about roles and capabilities, read About role-based user access.

Never edit or delete roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Instead edit the local version at $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.

You must reload authentication or restart Splunk Enterprise after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list. To reload authentication, go to the Manager > Authentication section of Splunk Web. This refreshes the authentication caches, but does not boot current users from the system.

Note: Distributed search configurations have slightly different authorization needs. When you use search head clustering, you must make sure that the search heads and the search peers all use the same set of authorize.conf file(s). To make sure your authorization is properly set up for search pooling, see How authorization works in distributed searches.

Add roles

Here's the syntax for adding roles through $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_<roleName>]
<attribute> = <value>
<attribute> = <value>
...

The <roleName> in the stanza header is the name you want to give your role. For example: security, compliance, ninja.

Role names must use lowercase characters only. They cannot contain spaces, colons, semicolons, or forward slashes.

You can include these attributes in the role stanza:

<capability> = enabled

You can add any number of capabilities to a role. To add a capability to a role, just set that capability to "enabled".

importRoles = <role>;<role>;...

When set, the current role inherits the capabilities from each listed <role>. Members assigned to multiple roles inherit properties from the role with the broadest permissions. If you enter multiple roles, separate them with semicolons.

This attribute is unset by default, so roles do not import other roles.
See Role inheritance in the "About users and roles" topic for more information.

srchFilter = <search_string>

Use this field for fine-grained access controls. Searches for this role will be filtered by this expression.

By default this field is unset and Splunk Enterprise does not filter searches.

srchTimeWin = <number>

This is the maximum time span (in seconds) allowed for a search executed by a user in this role.

This attribute is unset by default, so search time spans are not limited.

srchDiskQuota = <int>

This is the maximum amount of disk space (MB) that can be used by search jobs performed by a user assigned to this role.

This attribute defaults to '100', for 100 MB.

cumulativeSrchJobsQuota = <number>

Maximum number of concurrently running historical searches that all members of this role can have. For this attribute to be applied, you must also set enable_cumulative_quota = true in limits.conf.

When a user belongs to multiple roles, the user's searches are counted against the role with the largest cumulative search quota first. When the quota for that role is completely used up, roles with lower quotas are used.

The default is unset.

cumulativeRTSrchJobsQuota = <number>

The maximum number of concurrently running real-time searches that all members of this role can have. For this attribute to apply, you must also set enable_cumulative_quota = true in limits.conf.

If the user belongs to multiple roles, the user's searches are counted against the role with the largest cumulative search quota first. When the quota for that role is completely used up, roles with lower quotas are used.

The default is unset.

srchJobsQuota = <int>

Maximum number of concurrently running searches a member of this role can perform.

Defaults to 3 concurrent searches.

rtSrchJobsQuota = <number>

Maximum number of concurrently running real-time searches a member of this role can have.

Defaults to 6 real-time searches.

srchIndexesDefault = <string>

A semicolon-delimited list of indexes to search when no index is specified. You can use wildcards in your entries; however, the wildcard '*' does not match internal indexes. To match internal indexes, start the entry with '_'. All internal indexes are represented by '_*'.

Defaults to no indexes.

srchIndexesAllowed = <string>

A semicolon-delimited list of indexes this role is allowed to search.

You can use wildcards in your entries; however, the wildcard '*' does not match internal indexes. To match internal indexes, start the entry with '_'. All internal indexes are represented by '_*'.

Defaults to no indexes.

Search filter format

The srchFilter field can include any of the following search terms:

source=

host= and host tags

index= and index names

eventtype= and event type tags

sourcetype=

search fields

wildcards

Use OR to combine multiple terms, or AND to make the filter more restrictive.

The search terms cannot include:

saved searches

time operators

regular expressions

any fields or modifiers Splunk Web can overwrite

Example of creating a role in authorize.conf

This example creates the role "ninja", which inherits capabilities from the default "user" role. ninja has almost the same capabilities as the default "power" role, except it cannot schedule searches. In addition:

The search filter limits ninja to searching on host=foo.

ninja is allowed to search all public indexes (those that do not start with underscore) and will search the indexes mail and main if no index is specified in the search.
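The stanza for that example, written here as an added illustration rather than copied from the page. It assumes the attribute name importRoles and the capability name rtsearch from the standard authorize.conf specification (the page does not spell them out), and the quota values are made up for illustration.

```ini
# Added example: the "ninja" role described above, placed in
# $SPLUNK_HOME/etc/system/local/authorize.conf (never in system/default).
[role_ninja]
# Inherit the default "user" role's capabilities (attribute name assumed
# from the standard authorize.conf spec).
importRoles = user
# Grant real-time search as the "power" role has; schedule_search is
# deliberately NOT enabled, so ninja cannot schedule searches.
rtsearch = enabled
# Fine-grained access control: every search this role runs is
# restricted to host=foo.
srchFilter = host=foo
# '*' matches only public indexes; it never matches internal '_*' indexes.
srchIndexesAllowed = *
# Indexes searched when the user names none; semicolon separated.
srchIndexesDefault = mail;main
# Quotas (assumed values): concurrent historical and real-time searches,
# and the disk space in MB that the role's search jobs may use.
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 500
```

After saving the file, reload authentication (or restart Splunk Enterprise) so the role appears in the Role list.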
